Status

Current state: "Draft"

Discussion thread: here

...

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

Motivation

Note: The discussion in this KIP applies only to the Java-based (new) consumer, as the old consumer does not have the security feature.

...

 If we make the change suggested below, the command runs successfully and reports the group offsets.

 

Proposed Changes

The change proposed by this KIP is very simple: to lower the minimum required permission of the OffsetFetch API from Read to Describe. These minimum required permissions are hard-coded in kafka.server.KafkaApis.scala inside each API handler method. For example, the part that enforces the minimum required permission for the OffsetFetch API currently looks like this:

...

    // Group-level check for OffsetFetch with Describe as the minimum required permission
    if (!authorize(request.session, Describe, new Resource(Group, offsetFetchRequest.groupId)))
      offsetFetchRequest.getErrorResponse(requestThrottleMs, Errors.GROUP_AUTHORIZATION_FAILED)

 

Additional Food for Thought

As I was experimenting with the ACLs for this KIP, I made some observations that made me wonder about the rationale behind their current ACL settings, and whether they need adjustments too:

...

In general, as a result of this change, Kafka admins may need to revisit the relevant ACLs and update them if necessary.
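
An added example (not part of the KIP or of Kafka's code) for the ACL review mentioned above: a simplified model of the group-level check that lists which principals pass it once OffsetFetch requires Describe instead of Read. The `Acl` tuple, the function names and the sample entries are constructed; host matching and topic-level checks are not modelled, and the rule that an Allow on Read, Write, Delete or Alter also grants Describe is assumed from Kafka's default authorizer.

```python
from collections import namedtuple

# Simplified model of a group ACL entry (assumption: host matching is omitted).
Acl = namedtuple("Acl", "principal permission operation group")

# Assumed from Kafka's default authorizer: an Allow on any of these operations
# also grants Describe on the same resource.
IMPLIES_DESCRIBE = {"Describe", "Read", "Write", "Delete", "Alter", "All"}


def _matches(acl, principal, group):
    """True if the entry applies to this principal and group (wildcards included)."""
    return acl.principal in (principal, "User:*") and acl.group in (group, "*")


def authorized(acls, principal, operation, group):
    """A Deny on the operation (or All) wins; otherwise a matching Allow is required."""
    relevant = [a for a in acls if _matches(a, principal, group)]
    if any(a.permission == "Deny" and a.operation in (operation, "All") for a in relevant):
        return False
    allowed_ops = IMPLIES_DESCRIBE if operation == "Describe" else {operation, "All"}
    return any(a.permission == "Allow" and a.operation in allowed_ops for a in relevant)


def newly_allowed_offset_fetch(acls, groups):
    """(principal, group) pairs that pass the Describe check but failed the Read check."""
    principals = sorted({a.principal for a in acls if a.principal != "User:*"})
    return [(p, g) for p in principals for g in groups
            if authorized(acls, p, "Describe", g) and not authorized(acls, p, "Read", g)]


# Constructed sample ACLs, not taken from any real cluster.
SAMPLE_ACLS = [
    Acl("User:app", "Allow", "Read", "orders"),         # consumer: unaffected by the change
    Acl("User:monitor", "Allow", "Describe", "*"),      # gains OffsetFetch on matching groups
    Acl("User:monitor", "Deny", "Describe", "billing"), # explicit Deny still blocks
    Acl("User:ops", "Allow", "All", "billing"),         # already had Read through All
]

if __name__ == "__main__":
    for principal, group in newly_allowed_offset_fetch(SAMPLE_ACLS, ["orders", "billing"]):
        print(f"{principal} passes the OffsetFetch group check for '{group}' after the change")
```

Principals that appear in the output hold Describe without Read on a group, so they are the entries to review before rolling out the change.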

 

 

Rejected Alternatives